By default, iPXE contains only a single trusted root certificate (the "iPXE root CA" certificate). In order to use a standard SSL certificate issued by a public CA (such as Verisign), iPXE must be able to download a cross-signed certificate to complete the chain of trust up to the "iPXE root CA" certificate. These cross-signed certificates are downloaded automatically when needed.

By default, iPXE contains only a single trusted root certificate (the "iPXE root CA" certificate). In order to use a standard SSL certificate issued by a public CA (such as Verisign), iPXE must be able to download a cross-signed certificate to complete the chain of trust up to the "iPXE root CA" certificate. These cross-signed certificates are downloaded automatically when needed.

-

The current policy of ''ca.ipxe.org'' is to provide cross-signed certificates for all CAs that are trusted by the [[http://www.mozilla.org/firefox/|Firefox]] web browser. Certificates remain valid for 90 days.

+

The current policy of ''ca.ipxe.org'' is to provide cross-signed certificates for almost all CAs that are trusted by the [[http://www.mozilla.org/firefox/|Firefox]] web browser. Certificates remain valid for 90 days. Cross-signed certificates are not provided for the following CAs:

If you are booting using HTTPS on a private network with no access to [[http://ca.ipxe.org/auto]] then you may wish to create a local mirror, and use the ''crosscert'' setting to direct your clients to download the cross-signed certificates from your local mirror. For example:

If you are booting using HTTPS on a private network with no access to [[http://ca.ipxe.org/auto]] then you may wish to create a local mirror, and use the ''crosscert'' setting to direct your clients to download the cross-signed certificates from your local mirror. For example: